maven plugin - How can I generate SBOM in sub-module and get an aggregated SBOM? Regression with makeAggregateBom since 2.7.4 - outputReactorProjects has no effect

I have a multi module maven project which I'd like to create an SBOM on each module and get an Aggregated BOM on the root-folder with cyclonedx-maven-plugin.

When I execute the following command :

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.2:makeAggregateBom -DoutputReactorProjects=true -DoutputFormat=xml -B

I have an Aggregated BOM on the root target folder and also BOM inside each module. That's the expected behavior. In some case, if it's needed, I put the property "outputReactorProjects" to false to only get the aggregated bom on the root target folder.

Since 2.7.4, the property "outputReactorProjects" has no effect and I never get the BOM inside the module if I use the "makeAggregateBom" goal. Just like if the property is set to false ( https://cyclonedx.github.io/cyclonedx-maven-plugin/makeAggregateBom-mojo.html#outputReactorProjects )

Following documenation we can still produced an Aggregated BOM and a BOM inside the sub-module : "makeAggregateBom: creates an aggregate BOM at build root (with dependencies from the whole multi-modules build), and eventually a BOM for each module"

Case reproduced with Maven 3.8.5 and Maven 3.9.0, Plugin version 2.7.4, 2.7.5 and 2.7.9.

I have tried these commands :

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.2:makeAggregateBom -DoutputReactorProjects=true -DoutputFormat=xml -B

---> Root SBOM and Sub-Modules

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.2:makeAggregateBom -DoutputReactorProjects=false -DoutputFormat=xml -B

---> Root SBOM only

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.4:makeAggregateBom -DoutputReactorProjects=true -DoutputFormat=xml -B

---> Root SBOM only

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.4:makeAggregateBom -DoutputReactorProjects=false -DoutputFormat=xml -B

---> Root SBOM only

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputReactorProjects=true -DoutputFormat=xml -B

---> Root SBOM only

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputReactorProjects=false -DoutputFormat=xml -B

asked Aug 29, 2023 at 10:43

bendwe

213 bronze badges

have you searched existing questions or considered asking via the original support path? github.com/CycloneDX/cyclonedx-maven-plugin/issues

jko
– jko

2024-07-22 11:11:10 +00:00
Commented Jul 22, 2024 at 11:11

Add a comment |

0 Your Answer

Sign up or log in

Post as a guest

Name

Required, but never shown

Post as a guest

Name

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.

Collectives™ on Stack Overflow

How can I generate SBOM in sub-module and get an aggregated SBOM? Regression with makeAggregateBom since 2.7.4 - outputReactorProjects has no effect

0

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

0

Know someone who can answer? Share a link to this question via email, Twitter, or Facebook.

Your Answer

Sign up or log in

Post as a guest